Add: client certificate authentication released in cenclave-lib-sgx 1…

….1.0
Cosmian · Dec 20, 2024 · 3c4d728 · 3c4d728
1 parent dc6cb40
commit 3c4d728
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 2 deletions.
diff --git a/cli/cenclave/src/cenclave/command/sgx_operator/spawn.py b/cli/cenclave/src/cenclave/command/sgx_operator/spawn.py
@@ -92,6 +92,12 @@ def add_subparser(subparsers):
         help="enclave size to spawn (must be a power of 2)",
     )
 
+    parser.add_argument(
+        "--client-certificate",
+        type=Path,
+        help="bundle for client certificate authentication",
+    )
+
     parser.add_argument(
         "--signer-key",
         type=Path,
@@ -157,6 +163,7 @@ def run(args) -> None:
         subject_alternative_name=args.san,
         app_id=uuid4(),
         expiration_date=int((datetime.today() + timedelta(days=args.days)).timestamp()),
+        client_certificate=args.client_certificate,
         app_dir=workspace,
         application=code_config.python_application,
         healthcheck=code_config.healthcheck_endpoint,

diff --git a/cli/cenclave/src/cenclave/core/sgx_docker.py b/cli/cenclave/src/cenclave/core/sgx_docker.py
@@ -1,7 +1,7 @@
 """cenclave.core.sgx_docker module."""
 
 from pathlib import Path
-from typing import Any, ClassVar, Dict, List, Tuple
+from typing import Any, ClassVar, Dict, List, Optional, Tuple
 from uuid import UUID
 
 from pydantic import BaseModel
@@ -17,6 +17,7 @@ class SgxDockerConfig(BaseModel):
     subject: str
     subject_alternative_name: str
     expiration_date: int
+    client_certificate: Optional[Path]
     app_dir: Path
     application: str
     healthcheck: str
@@ -29,7 +30,7 @@ class SgxDockerConfig(BaseModel):
 
     def cmd(self) -> List[str]:
         """Serialize the docker command args."""
-        return [
+        args = [
             "--size",
             f"{self.size}M",
             "--subject",
@@ -44,6 +45,12 @@ def cmd(self) -> List[str]:
             str(self.expiration_date),
         ]
 
+        if client_certificate := self.client_certificate:
+            args.append("--client-certificate")
+            args.append(client_certificate.read_text())
+
+        return args
+
     def ports(self) -> Dict[str, Tuple[str, str]]:
         """Define the docker ports."""
         return {"443/tcp": (self.host, str(self.port))}
@@ -123,6 +130,7 @@ def load(docker_attrs: Dict[str, Any], docker_labels: Any):
             subject_alternative_name=data_map["san"],
             app_id=UUID(data_map["id"]),
             expiration_date=int(data_map["expiration"]),
+            client_certificate=data_map.get("client-certificate"),
             app_dir=Path(app["Source"]),
             application=data_map["application"],
             port=int(port["443/tcp"][0]["HostPort"]),